Hello

Thanks for the summary of the problem - actually I never thought about the OPTIONS method ;)

So let me present the picture:

- TRACE method is disabled at Pax Web level itself and it was implemented with https://github.com/ops4j/org.ops4j.pax.web/issues/563 / PAXWEB-229 >10 years ago. I have no idea why HTTP/500 (Internal Server Error) instead of HTTP/405 (Method Not Allowed) was chosen...
- Because runtimes (Jetty/Tomcat/Undertow) aren't aware of PAXWEB-229, it means OPTIONS still returns TRACE
- In Pax Web 8 I've reimplemented the TRACE method removal using runtime-specific mechanisms:
  - Jetty: org.ops4j.pax.web.service.jetty.internal.PaxWebServletHandler#doHandle()
  - Tomcat: org.apache.catalina.connector.Connector#setAllowTrace(false) (no way to configure it to true)
  - Undertow: io.undertow.server.handlers.DisallowedMethodsHandler - configured using the http(s)-listener/@disallowed-methods attribute (defaults to "TRACE").
- In Pax Web 7 it looks like it's only for Jetty, nothing for Tomcat, and the "disallowed-methods" attribute is not handled for Undertow (it is in Pax Web 8)

So you made me realize that the OPTIONS method may return TRACE on Pax Web 8 for the Jetty runtime. It should be fine on Tomcat and Undertow, but I've created https://github.com/ops4j/org.ops4j.pax.web/issues/1664 to check this.

regards
Grzegorz Grzybek

Tue, 28 Dec 2021 at 17:32 Daniel Stoch <[email protected]> wrote:
> Hi,
>
> I am using PaxWeb 7.2.x and servlet registration using whiteboard.
> By default Jetty allows to call the OPTIONS http method which returns:
>
> *Allow*: GET, HEAD, POST, TRACE, OPTIONS
>
> For other known methods a proper 403 error is returned.
> For other unknown methods (eg. BLABLA) 501 is returned (maybe not the best option for security reasons).
> For the TRACE method PaxWeb raises an exception and returns 500 (I don't know why it is blocked in PaxWeb code?).
>
> I need to limit this list of allowed methods for my app, eg. only to: GET, POST.
> And then the server should return 403 for all others.
>
> I can implement a dedicated servlet filter for this, but maybe there is another, better way to do this? Especially when the OPTIONS method will be available, the server should return only the configured Allowed methods in the response header.
>
> Is there any option for doing this in PaxWeb 7 using whiteboard? Or maybe it should be done directly in Jetty configuration using jetty.xml?
>
> --
> Best regards,
> Daniel Stoch
>
> --
> ------------------
> OPS4J - http://www.ops4j.org - [email protected]
>
> ---
> You received this message because you are subscribed to the Google Groups "OPS4J" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/ops4j/329ce887-9d33-411b-8797-cae4ab9aa08bn%40googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ops4j/CAAdXmhq6710rVyKH%2BzCxvTKMri3aVzX4siMH%2Bi3EMxAU6Q0Umw%40mail.gmail.com.
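The dedicated servlet filter Daniel mentions, written out as an added example (not code from Pax Web or from either poster): it answers OPTIONS itself with an Allow header listing only the configured methods, so the container-generated list (which, as discussed above, may still advertise TRACE on Jetty) is never sent, and it returns 403 for every other method. The init-param name `allowedMethods` and the javax.servlet 3.1 API level are assumptions; whiteboard registration of the filter is done with the usual Pax Web service properties and is not shown.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Allows only a configured set of HTTP methods. Anything else (TRACE, PUT,
// unknown verbs such as BLABLA) gets 403, and OPTIONS is answered here with
// an Allow header built from the configured set, so the container's own
// method list is never consulted for this application.
public class AllowedMethodsFilter implements Filter {
    // Hypothetical init-param name; the default mirrors the GET, POST example.
    private static final String PARAM = "allowedMethods";
    private Set<String> allowed = new LinkedHashSet<>(Arrays.asList("GET", "POST"));

    @Override
    public void init(FilterConfig config) {
        String value = config.getInitParameter(PARAM);
        if (value != null && !value.trim().isEmpty()) {
            allowed = new LinkedHashSet<>();
            for (String m : value.split(",")) {
                allowed.add(m.trim().toUpperCase());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod().toUpperCase();
        if ("OPTIONS".equals(method)) {
            // Advertise only what is really accepted instead of the container's list.
            response.setHeader("Allow", String.join(", ", allowed));
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        if (!allowed.contains(method)) {
            // Same status Daniel observed for other known methods, now for all of them.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Register it with a URL pattern covering the whole application (for example `/*`) so that it runs before any servlet and also in front of Jetty's default OPTIONS handling.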
